Description
Multiple versions of PowerCMS improperly neutralize formula elements in a CSV file. If a product user creates a malformed entry and a victim user downloads it as a CSV file and opens it in the user's environment, the embedded code may be executed.
CVSS breakdown
CVSS 4.0
- Attack Vector: Network
- Attack Complexity: Low
- Attack Requirements: None
- Privileges Required: Low
- User Interaction: Active
- Confidentiality (Vulnerable System): None
- Integrity (Vulnerable System): None
- Availability (Vulnerable System): None
- Confidentiality (Subsequent System): Low
- Integrity (Subsequent System): Low
- Availability (Subsequent System): Low
CVSS 3.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Confidentiality: Low
- Integrity: Low
- Availability: Low
Affected products
- Alfasado Inc. / PowerCMS – 6.7 and earlier (PowerCMS 6.x series)
- Alfasado Inc. / PowerCMS – 5.3 and earlier (PowerCMS 5.x series)
- Alfasado Inc. / PowerCMS – 4.6 and earlier (PowerCMS 4.x series)